Terry53029
Level 14

Lisa, here is a plan that is simple and covers the IRS requirements. I can't take credit for it, as I got it from a tax preparer on another site.

* Include the name of all information security program managers.

Terry

* Identify all risks to customer information.

Fire, theft, flood, earthquake, government seizure of property, software malfunction, mis-addressed or mis-delivered communications. No risk from employees because I have none.

* Evaluate risks and current safety measures.

Yes, they are all risks. Current safety measures include physical locks, up-to-date professional computer software with all vendor-supplied security patches applied within one week of release, and encryption of customer data in digital form.

* Design a program to protect data.

Immediately scan client paper documents into secure encrypted digital storage, then return or shred the paper. Use unique passwords for each login requiring a password. Do not share passwords. Use MFA for tax software access.

* Put the data protection program in place.

Yes.

* Regularly monitor and test the program.

Take this plan off the shelf once per year and read it. Test: get a colleague to come over and promise to buy them a meal if they access customer information in my tax office without my help, within 30 minutes.
